Douglas R. Smith
Department of Computer Science 
Naval Postgraduate School 
Monterey, California 93940 
4 March 1983 

ABSTRACT 

The structure of divide and conquer algorithms is 
represented by program schemes which provide a kind of 
normal-form for expressing these algorithms. A theorem relating
the correctness of a divide and conquer algorithm to the
correctness of its subalgorithms is given. Several strategies 
for designing divide and conquer algorithms arise from this 
theorem and we use them to formally derive algorithms for 
sorting a list of numbers, evaluating a propositional formula, 
and forming the cartesian product of two sets. 



0. Introduction 

The advance of scientific knowledge often involves the grouping together of 
similar objects followed by the abstraction and representation of their common 
structural and functional features. Generic properties of the objects in the 
class are then studied by reasoning about this abstract characterization. The 
resulting theory may suggest strategies for designing objects in the class which 
have given characteristics. This paper reports on one such investigation into a 
class of related algorithms called "divide and conquer". We seek not only to 
gain a deeper and clearer understanding of the algorithms in this class, but to 
formulate this knowledge for the purposes of algorithm design. The essential 
structure of divide and conquer algorithms is expressed by a class of program 
schemes. We present a fundamental theorem relating the correctness of an 
instance of one of these schemes to the correctness of its parts. This theorem
provides a basis for designing divide and conquer algorithms in a formal way.

Footnote 1: The work reported herein was supported by the Foundation Research Program
of the Naval Postgraduate School with funds provided by the Chief of Naval
Research.

The principle underlying divide and conquer algorithms can be simply 
stated: if the problem posed by a given input is sufficiently simple we solve it 
directly, otherwise we decompose it into independent subproblems, solve the
subproblems, then compose the resulting solutions. The process of decomposing the
input problem and solving the subproblems gives rise to the term "divide and
conquer" although "decompose, solve, and compose" would be more accurate.

We chose to explore the synthesis of divide and conquer algorithms for 
several reasons:

Structural Simplicity - Divide and conquer is perhaps the simplest program
structuring technique which does not appear as an explicit control structure in
current programming languages. Our description of the structure of divide and
conquer algorithms is based on a view of them as computational homomorphisms
between algebras on their input and output domains. Careful choice of programming
language constructs allows us to express divide and conquer algorithms concisely
and in accord with their essential structure as homomorphisms.

Computational Efficiency - Often algorithms of asymptotically optimal complexity 
arise from the application of the divide and conquer principle to a problem. 
Fast approximate algorithms for NP-hard problems frequently are based on the 
divide and conquer principle. 

Diversity of Applications - Divide and conquer algorithms are common in programming,
especially when processing structured data objects such as arrays, lists,
and trees. Many examples of divide and conquer algorithms may be found in texts 
on algorithm design (e.g. [1,11]). Bentley [3] presents numerous applications 
of the divide and conquer principle to problems involving sets of objects in 
multidimensional space. 

One of our goals is to help formalize the process of designing algorithms to
meet given specifications. Our approach in this paper is based on instantiating
program schemes to obtain concrete programs satisfying a given specification.
Related work on programming by instantiating program schemes is reported in
[4,5,7,8,15]. Aside from the fact that we are concerned here with only one
class of algorithms, our approach differs from these others mostly in focusing
on formal techniques for deriving specifications for the uninterpreted operators
in a program scheme.

In Section 1 we seek to acquaint the reader with some examples of divide
and conquer algorithms. Algebraic notation introduced in Section 2 is used to
present schemes in Section 3 characterizing the class of divide and conquer
algorithms. The main result of this paper is a theorem showing how the correctness
of a divide and conquer algorithm follows from its form and the correctness
of its parts. In Section 4 we discuss the top-down design of divide and conquer
algorithms and proceed with the derivation of a selection sort algorithm. In
Section 5 we derive algorithms for a few more problems including the evaluation
of Boolean expressions and finding the cartesian product of two sets.

1. Examples of Divide and Conquer Algorithms 

Applications of the divide and conquer principle are most naturally 
expressed by recursive programs. In Figure 1 we present a selection sort program
expressed in an ad-hoc functional programming language (based on Backus' FP
systems [2]) which we now summarize. 

We use three data types: B (Boolean values TRUE and FALSE), IN (natural
numbers 0,1,2,...), and LIST(IN) (linear lists of natural numbers e.g., nil,
(3), (5,2,2,7)). Any element of these types is called an object, and if
x_1,...,x_n for n ≥ 0 are data objects then the n-tuple <x_1,...,x_n> is also a data
object. The selector functions 1, 2,... return the first, second,... elements
of a tuple respectively. For example, 1:<3,4> = 3, 2:<3,4> = 4.

In a functional programming language programs are viewed as a hierarchy of
functions. All functions map a data object to a data object. We use the notation
f:x to denote the result of applying the function (program) f to data
object x. If a function requires n arguments for some n>1, then it is applied
to an n-tuple of objects. For the natural numbers we have the usual addition
function, denoted +, and the comparison operators <, ≤, =, ≥. In deference
to convention we allow infix notation for the arithmetic functions and relational
operators, thus we equivalently write "3+5" and "+:<3,5>". On the data
type LIST(IN) we use the following functions: Nil, which returns the empty list
(denoted nil); List, which maps a natural number into the list containing it;
First, which returns the first element in a list; Rest, which returns its input
list minus the first element; Cons, which adds a number to the front of a list
(e.g. Cons:<2,(5,4)> = (2,5,4)); snoC, (the inverse of Cons) which returns a 2-tuple
containing the first element and the rest of the input list (e.g.
snoC:(2,5,4) = <2,(5,4)>); and Length, which returns the length of a list. On
all types we use Id as the identity function.

    Ssort:x_0 = if
                  x_0 = nil -> x_0 □
                  x_0 ≠ nil -> Cons*(Id × Ssort)*Select:x_0
                fi

    Select:x = if
                 Rest:x = nil -> snoC:x □
                 Rest:x ≠ nil -> Compose*(Id × Select)*snoC:x
               fi

    Compose:<v_1,<v_2,z>> = if
                              v_1 ≤ v_2 -> <v_1,Cons:<v_2,z>> □
                              v_1 ≥ v_2 -> <v_2,Cons:<v_1,z>>
                            fi

Figure 1: A Selection Sort Program



Functions are combined to yield new functions via the following combining 
forms. f*g, called the composition of f and g, denotes the function resulting 
from applying f to the result of applying g to its argument. 

For example: Length*Rest:(1,3,5) = Length:(Rest:(1,3,5))
                                 = Length:(3,5)
                                 = 2

f × g, called the product of f and g, is defined by

    f × g:<x,y> = <f:x,g:y>.

For example: Id × Length:<3,(1,3,5,7)> = <3,4>.

If q_1,...,q_n are boolean functions or constants and f_1,...,f_n are functions or
data objects then

    if q_1 -> f_1 □ ... □ q_n -> f_n fi

is a nondeterministic conditional form. During evaluation each of the boolean
functions, called guards, are evaluated. If any of the guards are undefined, or
if none of the guards evaluate to TRUE, then the value of the form is undefined.
Otherwise one of the guards, say q_i, which evaluates to TRUE is nondeterministically
selected and the form evaluates to f_i:x. For example,

    if ≤ -> 1 □ ≥ -> 2 fi

is a simple if-fi form mapping IN × IN into IN and computing the minimum of two
natural numbers. On application to <2,3> the guard "≤" evaluates to TRUE thus
the form evaluates to 1:<2,3> = 2. Note that on application to <3,3> both guards
evaluate to TRUE thus either branch of the conditional can be taken. Although
either branch can be taken the result is the same for this function.

We name functions by means of definitions. For example we can name the
above if-fi form Min by means of the following definition

    Min = if ≤ -> 1 □ ≥ -> 2 fi.

For readability in definitions we allow the naming of arguments, replace selector
function applications by the name of their result, and pretty print, so Min
can be defined by

    Min:<x,y> = if
                  x ≤ y -> x □
                  x ≥ y -> y
                fi.

The selection sort algorithm in Figure 1 works as follows. If the input is
nil then nil is output. If the input is non-nil then a smallest element is
split off and then prepended onto the result of recursively sorting the
remainder of the input. The function Select evaluates as follows on the list
(2,5,1,4)

    Select:(2,5,1,4) = Compose*(Id × Select)*snoC:(2,5,1,4)
                     = Compose*(Id × Select):<2,(5,1,4)>
                     = Compose:<2,<1,(5,4)>>
                     = <1,Cons:<2,(5,4)>>
                     = <1,(2,5,4)>

where Select:(5,1,4) evaluates to <1,(5,4)> in a similar manner. Ssort when
applied to (2,5,1,4) evaluates as follows

    Ssort:(2,5,1,4) = Cons*(Id × Ssort)*Select:(2,5,1,4)
                    = Cons*(Id × Ssort):<1,(2,5,4)>
                    = Cons:<1,(2,4,5)>
                    = (1,2,4,5)

where Ssort:(2,5,4) evaluates to (2,4,5) in a similar manner.

Ssort and Select exemplify the structure of divide and conquer algorithms.
In Ssort when the input is nil then the problem is solved directly, otherwise
the input problem is decomposed via Select, the subproblems solved via the product
Id × Ssort, and the results composed by Cons. In Select when the input has
length one then the problem is solved directly, otherwise the input is decomposed
via snoC into a tuple of subinputs, the subinputs processed in parallel by
Id × Select, and the results composed by Compose. We call Select in Ssort and
snoC in Select the decomposition operators. Cons in Ssort and Compose in Select
are called composition operators. The identity function, Id, in both Ssort and
Select is called an auxiliary operator.

Why introduce new language features here? We feel that the importance of
divide and conquer algorithms is justification enough to require that a programming
language allow their concise expression. We have introduced those linguistic
features which allow divide and conquer programs to clearly reflect their
essential structure. For example, the construction of decomposition operators
is facilitated by allowing functions to return a tuple of objects. The product
form allows us to directly express parallel processing of independent subproblems.
In conditionals we are not forced to determine the order in which the
guards are to be evaluated - they are conceptually evaluated in parallel. In
addition, the language simplifies reasoning about and designing divide and conquer
algorithms.

2. Algebraic Concepts 
2.1 Program Termination

In designing divide and conquer algorithms we shall be concerned with
ensuring that they terminate on all legal inputs. The usual method for showing
the termination of a recursive program depends on the existence of a well-founded
ordering on the input domain.

A structure <W,≻> where W is a set and ≻ is a binary relation on W is a
well-founded set and ≻ is a well-founded ordering on W if:

1) ≻ is irreflexive: u ⊁ u for all u ∈ W

2) ≻ is asymmetric: if u ≻ v then v ⊁ u for all u,v ∈ W

3) ≻ is transitive: if u ≻ v and v ≻ w then u ≻ w for all u,v,w ∈ W

4) there is no infinite descending sequence u_0 ≻ u_1 ≻ u_2 ≻ ... in W.

For example, IN (natural numbers) with the usual greater than relation > forms
the well-founded set <IN,>>.

A recursive program P with input domain D can be shown to terminate on all
inputs in the following way. First, a well-founded ordering ≻ is constructed
on D. Then, we show that for any x ∈ D, P applied to x only generates recursive
applications (calls) to inputs x' for which x ≻ x'. There can be no infinite
sequence x_0,x_1,x_2,... such that applying P to x_i results in the application of
P to x_{i+1} for i ≥ 0 since the well-founded ordering does not allow x_0 ≻ x_1
≻ x_2 ≻ ... .

Proposition 1. Let E be a set, let <W,≻_W> be a well-founded set, and let
h:E -> W be a function from E into W. The relation ≻_E defined by:

    u ≻_E u' iff h(u) ≻_W h(u')

is a well-founded ordering on E.

Proof: 1) ≻_E is irreflexive - for any u, h(u) ⊁_W h(u), but then by definition
u ⊁_E u.

2) ≻_E is asymmetric - if u ≻_E u' then h(u) ≻_W h(u') and h(u') ⊁_W h(u)
(by asymmetry of ≻_W) thus u' ⊁_E u.

3) ≻_E is transitive - if u ≻_E u' and u' ≻_E u" then h(u) ≻_W h(u') and
h(u') ≻_W h(u"). h(u) ≻_W h(u") follows by transitivity of ≻_W, then u ≻_E u" follows
by definition of ≻_E.

4) <E,≻_E> has no infinite decreasing sequence - if u_0 ≻_E u_1 ≻_E u_2 ≻_E
... then h(u_0) ≻_W h(u_1) ≻_W h(u_2) ≻_W ... contradicting the well-foundedness of
<W,≻_W>. QED



Proposition 1 enables us to establish a well-founded ordering on LIST(IN)
(list of natural numbers) by simply finding a function from LIST(IN) to IN. A
suitable primitive function is Length, so we may define

    x ≻ y iff Length:x > Length:y

for all x,y ∈ LIST(IN). By Proposition 1 we conclude that <LIST(IN),≻> is a
well-founded set.

2.2 Many-Sorted Algebras

Algebraic concepts are playing an increasingly important role in formulating
the fundamental notions of computer science. In this paper we show that
divide and conquer algorithms can be usefully characterized algebraically as
homomorphisms between appropriately defined algebras on the input and output
domains. In this section we present the basic terminology of many-sorted algebras
based on and extending the notation of ADJ [9,10].

For any n ∈ IN let n̲ = {1,2,...,n}. As usual the cartesian product of sets
A_1, A_2,..., A_n is written A_1 × A_2 × ... × A_n and denotes {<a_1,a_2,...,a_n> | a_i ∈ A_i
for i ∈ n̲}. Parentheses are used for nesting so

    A_1 × (A_2 × A_3) = {<a_1,<a_2,a_3>> | a_1 ∈ A_1, a_2 ∈ A_2, a_3 ∈ A_3},

the set of 2-tuples whose first component belongs to A_1, and whose second component
belongs to A_2 × A_3.

Generally, we use the term many-sorted algebra to denote a collection of
sets equipped with operators defined on cartesian products of the sets. Let S
denote a nonempty set of symbols called sorts and ŝ ∈ S be a distinguished sort
called the principal sort. A finite ŝ-oriented S-sorted signature Σ is a finite
set of operator symbols {σ1,...,σr}, r ≥ 1, where for 1 ≤ i ≤ r, σi has type <wi,ŝ>
where wi ∈ S* and wi = wi_1...wi_{n_i}, n_i ≥ 0. Let <A_s>_{s∈S} be an S-indexed family of
sets. If w ∈ S* and w = w_1w_2...w_n then A^w denotes the cartesian product
A_{w_1} × A_{w_2} × ... × A_{w_n}. Letting λ denote the empty string, A^λ denotes the set
consisting of the 0-tuple, {<>}. A Σ-algebra A consists of a family of sets
<A_s>_{s∈S} called the carriers of A, and a set of operators denoted σi_A, i=1,...,r,
where σi_A: A^{wi} -> A_ŝ. A_ŝ will be called the principal carrier of A. A Σ-algebra
A will be written A = <{C_1,...,C_k},{f1,...,fr}> where C_1,...,C_k are the
carriers of A and f1,...,fr are its operators. A Σ-algebra will be called a
composition algebra.

We shall be interested in composition algebras which 1) allow each element
of the principal carrier to be expressed as a composition of other elements, and
2) compose smaller elements into larger elements. For example, on the domain
LIST(IN) consider the operators

    Nil: -> LIST(IN)                  (e.g., Nil:<> = nil)
    List: IN -> LIST(IN)              (e.g., List:3 = (3))
    Cons: IN × LIST(IN) -> LIST(IN)   (e.g., Cons:<3,(1,4)> = (3,1,4)).

Every list of natural numbers can be expressed as either a composition by Cons
(Cons:<i,y> for some i ∈ IN and y ∈ LIST(IN)) or by Nil, thus

    <{LIST(IN),IN},{Cons,Nil}>

is a composition algebra for LIST(IN). For the domain LIST(IN)-nil, the operators
Cons and List allow expression of each non-nil list as a composition by
Cons (Cons:<i,y> for some i ∈ IN and y ∈ LIST(IN)-nil) or by List (List:i for some
i ∈ IN), thus

    <{LIST(IN)-nil,IN},{Cons,List}>

is a composition algebra for LIST(IN)-nil.

Let A and B be Σ-algebras and let H = <h_s>_{s∈S} be an S-indexed family of
functions where for each s ∈ S, h_s: A_s -> B_s. If w = w_1w_2...w_n let h^w denote the
product function h_{w_1} × h_{w_2} × ... × h_{w_n}. Thus if a ∈ A^w then

    h^w:a = <h_{w_1}:a_1,...,h_{w_n}:a_n>.

h^λ denotes the unique function mapping A^λ to B^λ, also written Id_<>.
H = <h_s>_{s∈S} is a (Σ-)homomorphism from A to B if for each operator symbol σi
and a ∈ A^{wi}

    h_ŝ*σi_A:a = σi_B*h^{wi}:a

i.e. the diagram in Figure 2 commutes.



Figure 2: Commutative Diagram of a Σ-homomorphism.

A Σ^-1-algebra A is a family of sets <A_s>_{s∈S} and operators σi_A: A_ŝ -> A^{wi}
for each 1 ≤ i ≤ r. A Σ^-1-algebra will be called a decomposition algebra. We
shall be interested in decomposition algebras which 1) allow each element of the
principal carrier to be decomposed into other elements, and 2) decompose larger
elements into smaller elements. For example, on the domain LIST(IN) we can
define operators which are the inverses of the composition operators considered
above.

    liN: LIST(IN) -> {<>}              (e.g. liN:nil = <>)
    tsiL: LIST(IN) -> IN               (e.g. tsiL:(3) = 3)
    snoC: LIST(IN) -> IN × LIST(IN)    (e.g. snoC:(3,1,4) = <3,(1,4)>)

Every list of natural numbers can be decomposed either by snoC or liN, thus

    <{LIST(IN),IN},{snoC,liN}>

is a decomposition algebra for LIST(IN). For the domain LIST(IN)-nil, the
operators snoC and tsiL allow the decomposition of each non-nil list into non-nil
lists and natural numbers, thus

    <{LIST(IN)-nil,IN},{snoC,tsiL}>

is a decomposition algebra for LIST(IN).

Let A be a Σ^-1-algebra, B a Σ-algebra, and let H = <h_s>_{s∈S} be an S-indexed
family of functions such that for each s ∈ S h_s: A_s -> B_s. H is a (Σ^-1-Σ)-homomorphism
from A to B if for each x ∈ A_ŝ such that σ_A:x is defined

    h_ŝ:x = σ_B*h^w*σ_A:x        (2.1)

i.e., the diagram in Figure 3 commutes.

Figure 3: Commutative Diagram of a (Σ^-1-Σ)-homomorphism.

For example, let S = {c,ŝ} and let
Σ = {σ1,σ2} be an S-sorted signature where σ1 has type <λ,ŝ> and σ2 has type
<cŝ,ŝ>. Consider LS and LC which are Σ^-1- and Σ-algebras respectively where:

    LS = <{IN,LIST(IN)},{liN,Select}>
    LC = <{IN,LIST(IN)},{Nil,Cons}>.

LS has carriers LS_c = IN and LS_ŝ = LIST(IN) and operators

    Select: LIST(IN) -> IN × LIST(IN) and
    liN: LIST(IN) -> {<>}.

Select splits a list of natural numbers into its least element and the rest of
the list as discussed earlier. LC has carriers LC_c = IN and LC_ŝ = LIST(IN) and
operators

    Cons: IN × LIST(IN) -> LIST(IN) and
    Nil: {<>} -> LIST(IN).

Letting h_ŝ be the function Sort, which sorts a list of numbers, and h_c the identity
function Id, we have a natural homomorphism from LS to LC. First, Sort and
Id have the required domains and codomains:

    Id: IN -> IN                    (h_c: LS_c -> LC_c)
    Sort: LIST(IN) -> LIST(IN)      (h_ŝ: LS_ŝ -> LC_ŝ)

and the homomorphism condition (2.1) is satisfied: for any x ∈ LIST(IN) such that
liN:x is defined (i.e. x = nil)

    Sort:x = Nil*Id_<>*liN:x                 (h_ŝ:x = σ1_LC*h^λ*σ1_LS:x)

and for any x ∈ LIST(IN) such that Select:x is defined (i.e. x ≠ nil)

    Sort:x = Cons*(Id × Sort)*Select:x.      (h_ŝ:x = σ2_LC*h^{cŝ}*σ2_LS:x)

This homomorphism, of course, is the essence of a selection sort algorithm.
When the input x is nil we can sort directly, otherwise we decompose x into a
number i and a list y, sort y, then Cons i onto the result.

3. Divide and Conquer Algorithms: Form and Function

In this section we present notation expressing the form (via program 
schemes) and function (via specifications) of divide and conquer algorithms. We 
also present a fundamental theorem showing how the functionality of a divide and 
conquer program follows from its form and the functionalities of its parts. 
First we consider the expression of functionality. 

3.1 Specifications 

Specifications are a precise notation for describing the problem (or function)
we desire to solve without necessarily indicating how to solve (or compute)
it. For example, the problem of decomposing a list of natural numbers
into its smallest element and the remainder of the list may be specified as follows.

    Select:x = <i,z> such that x ≠ nil => i ≤ Bag:z ∧ Bag:x = Add:<i,Bag:z>
    where Select: LIST(IN) -> IN × LIST(IN).

The problem is named Select which is a function from lists of natural numbers to
2-tuples consisting of a natural number and a list. Naming the input x and the
output <i,z>, the formula "x ≠ nil", called the input condition, expresses any
restrictions on the inputs we can expect to the problem. The formula "i ≤ Bag:z
∧ Bag:x = Add:<i,Bag:z>", called the output condition, expresses the conditions
under which <i,z> is an acceptable output with respect to input x. The function
Bag maps a list into the bag (multiset) of elements contained in it (e.g.
Bag:(1,5,2,2) = {1,5,2,2} = Bag:(1,2,5,2)). i ≤ Bag:z asserts that each element
in the list z is no less than i. The function Add:<i,b> returns the bag containing
i in addition to all elements of bag b. Bag:x = Add:<i,Bag:z> asserts
that the multiset (bag) of elements in the input list x is the same as the multiset
of elements in z with i added.

Generally, a specification Π has the form

    Π:x = z such that I:x => O:<x,z>
    where Π: D -> R.

We ambiguously use the symbol Π to denote both the problem, its specification,
and a solution to the problem. Here the input and output domains are D and R
respectively. The input condition I expresses any properties we can expect of
inputs to the desired program. Inputs satisfying the input condition will be
called legal inputs. If an input does not satisfy the input condition then we
don't care what output, if any, the program produces. The output condition O
expresses the properties that an output object should satisfy. Any output
object z such that O:<x,z> holds will be called a feasible output with respect
to input x. More formally, a specification Π is a 4-tuple <D,R,I,O> where

    D is a set called the input domain,
    R is a set called the output domain,
    I is a relation on D called the input condition, and
    O is a relation on D × R called the output condition.

Program F satisfies specification Π = <D,R,I,O> if

    ∀x ∈ D [I:x => O:<x,F:x>]

is valid in a suitable first-order theory, i.e., if on each legal input F computes
a feasible output.

Let S be a set of sorts with principal sort ŝ. Π = <E,T,J,P> denotes an
S-sorted family of problems where E and T are S-sorted families of sets, for
each s ∈ S J_s is a relation on E_s and P_s is a relation on E_s × T_s. For each s ∈ S
let Π_s, called a component problem, denote the problem specification
<E_s,T_s,J_s,P_s>. Π_ŝ will be called the principal problem and for each s ∈ S-ŝ Π_s
will be called an auxiliary problem.

3.2 The Form of Divide and Conquer Algorithms 

Let S be a sort set with principal sort ŝ and let Σ be a finite ŝ-oriented
S-sorted signature where Σ = {σ1,...,σr}, r ≥ 1, and for 1 ≤ i ≤ r, σi has type
<wi,ŝ> where wi ∈ S* and wi = wi_1...wi_{n_i}, n_i ≥ 0. A Σ-divide and conquer algorithm
has the form

    f_ŝ:x = if
              q_1:x -> σ1_T*f^{w1}*σ1_E:x □
              ...
              q_r:x -> σr_T*f^{wr}*σr_E:x
            fi

where

1. E is a Σ^-1-algebra

2. T is a Σ-algebra

3. F = <f_s>_{s∈S} is an S-indexed family of functions where f_s: E_s -> T_s

4. q_i, for i ∈ r̲, is a predicate on E_ŝ.

The operators in E and T are called the decomposition and composition operators
respectively. Each f_s for s ∈ S-ŝ is called an auxiliary function and f_ŝ is
called the principal function. In these terms the program's behavior can be
described as follows: Given input x, a guard which evaluates to TRUE is
selected nondeterministically. Input x is decomposed by the decomposition
operator σi_E into a tuple of subinputs. This tuple is then processed in parallel
by the function product f^{wi} and the results composed by the composition
operator σi_T. In order for the algorithm to terminate not all the branches of
the conditional can contain recursive calls. The nonrecursive branches treat
with those inputs which can be solved directly.

If we view the guards q_i for i ∈ r̲ as characterizing the set of inputs on
which the corresponding decomposition operator σi_E is defined, then the divide
and conquer algorithm clearly expresses F as a homomorphism from the decomposition
algebra E to the composition algebra T.

3.3 Correctness of a Divide and Conquer Algorithm 

The main theoretical result of our paper is the following theorem which
shows how the correctness of the whole divide and conquer algorithm follows from
the correctness of its parts. Conditions (1), (2), and (3) of Theorem 1 simply
provide the form of a specification for the parts of a Σ-divide and conquer
algorithm. The most interesting condition is the "separability" condition (4).
It is the principal link between the functionality of the algebras E and T, the
auxiliary problems Π_s, and the given principal problem. In words it states
that if input x_0 decomposes into subinputs x_1,...,x_n, and z_1,...,z_n are feasible
outputs with respect to these subinputs respectively, and z_1,...,z_n compose
to form z_0 then z_0 is a feasible solution to input x_0. Loosely put: feasible
outputs compose to form feasible outputs. Condition (5) asserts that for each
legal input at least one of the guards holds.



Theorem 1: Let S be a set of sorts with principal sort ŝ and let Σ be a finite
ŝ-oriented S-sorted signature. Let E be a Σ^-1-algebra, T be a Σ-algebra, Π an
S-sorted family of specifications, F an S-sorted family of functions where for
each s ∈ S f_s: E_s -> T_s. Let ≻ be a well-founded ordering on E_ŝ and for each i ∈ r̲
let Oi_E and Oi_T be relations on E_ŝ × E^{wi} and T_ŝ × T^{wi} respectively. If

(1) (Specification of σ_E) the decomposition operator σi_E, for i = 1,...,r,
satisfies the specification

    σi_E:x_0 = <x_1,...,x_{n_i}> such that q_i:x_0 ∧ J_ŝ:x_0 =>
        ⋀_{j∈n̲_i} (J_{wi_j}:x_j ∧ (wi_j = ŝ => x_0 ≻ x_j)) ∧ Oi_E:<x_0,x_1,...,x_{n_i}>
    where σi_E: E_ŝ -> E^{wi}

(2) (Specification of σ_T) the composition operator σi_T, for i = 1,...,r,
satisfies the specification

    σi_T:<z_1,z_2,...,z_{n_i}> = z_0 such that Oi_T:<z_0,z_1,...,z_{n_i}>
    where σi_T: T^{wi} -> T_ŝ

(3) (Solutions to Auxiliary Problems) for each s ∈ S-ŝ f_s satisfies specification

    Π_s:x = z such that J_s:x => P_s:<x,z>
    where Π_s: E_s -> T_s.

(4) (Separability of P) the following formula is valid for each i ∈ r̲:

    ∀<x_0,x_1,...,x_{n_i}> ∈ E_ŝ × E^{wi} ∀<z_0,z_1,...,z_{n_i}> ∈ T_ŝ × T^{wi}
      [Oi_E:<x_0,x_1,...,x_{n_i}> ∧ ⋀_{j∈n̲_i} P_{wi_j}:<x_j,z_j> ∧ Oi_T:<z_0,z_1,...,z_{n_i}> =>
         P_ŝ:<x_0,z_0>]

(5) (Definition of the guards) For all x ∈ E_ŝ, J_ŝ:x => ⋁_{i∈r̲} q_i:x

then the divide and conquer program

    f_ŝ:x = if
              q_1:x -> σ1_T*f^{w1}*σ1_E:x □
              ...
              q_r:x -> σr_T*f^{wr}*σr_E:x
            fi

satisfies specification Π_ŝ = <E_ŝ,T_ŝ,J_ŝ,P_ŝ>.

Proof: To show that f_ŝ satisfies Π_ŝ = <E_ŝ,T_ŝ,J_ŝ,P_ŝ> we will prove
by structural induction (see Footnote 2) on E_ŝ.

Let x be an arbitrary object in E_ŝ such that J_ŝ:x holds and assume (inductively)
that J_ŝ:y => P_ŝ:<y,f_ŝ:y> holds for any y ∈ E_ŝ such that x ≻ y. From J_ŝ:x
and condition (5) it follows that q_i:x holds for some i ∈ r̲. By the semantics of
the if-fi construct f_ŝ:x can evaluate to σi_T*f^{wi}*σi_E:x. We will show that
P_ŝ:<x,f_ŝ:x> by using the inductive assumption and modus ponens on the separability
condition. Since q_i:x ∧ J_ŝ:x holds and σi_E satisfies its specification in
condition (1), the output condition of σi_E also holds. Let σi_E:x = <x_1,...,x_{n_i}>.
We have for each j ∈ n̲_i, J_{wi_j}:x_j. Consider x_j for each j ∈ n̲_i. If wi_j ≠ ŝ then by
condition (3)

    J_{wi_j}:x_j => P_{wi_j}:<x_j,f_{wi_j}:x_j>

and we infer by modus ponens P_{wi_j}:<x_j,f_{wi_j}:x_j>. If on the other hand wi_j = ŝ
then by condition (1) we have x_0 ≻ x_j and thus by our inductive assumption

    J_{wi_j}:x_j => P_{wi_j}:<x_j,f_{wi_j}:x_j>.

Again we infer P_{wi_j}:<x_j,f_{wi_j}:x_j> by modus ponens. By condition (2) we have

    Oi_T:<σi_T:<f_{wi_1}:x_1,...,f_{wi_{n_i}}:x_{n_i}>, f_{wi_1}:x_1,...,f_{wi_{n_i}}:x_{n_i}>

where

    σi_T:<f_{wi_1}:x_1,...,f_{wi_{n_i}}:x_{n_i}> = f_ŝ:x.

We have now established the antecedent of condition (4) enabling us to infer
P_ŝ:<x,f_ŝ:x>. QED



Notice that in Theorem 1 the form of the subalgorithms σi_E, σi_T, and f_s for
s ∈ S-ŝ is not relevant. All that matters is that they satisfy their respective
specifications. In other words, their function and not their form matters with
respect to the correctness of the whole divide and conquer algorithm.



Footnote 2: Structural induction on a well-founded set <W,≻> is a form of mathematical
induction described by

    ∀x ∈ W ∀y ∈ W [x ≻ y ∧ Q:y => Q:x] => ∀x ∈ W Q:x

i.e., if Q:x can be shown to follow from the assumption that Q:y holds for each
y such that x ≻ y, then we can conclude that Q:x holds for all x.
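
As an added illustration (not code from the paper), the scheme of Section 3.2 is written below in Python and instantiated with the Ssort and Select of Figure 1, with conditions (1) and (5) of Theorem 1 and the output condition checked on every call. Lists are modelled as tuples; the names scheme, SchemeViolation, compose_min and the output condition used for sorting (same bag, ascending order) are assumptions of this example.

```python
from collections import Counter


class SchemeViolation(Exception):
    """Raised when a run-time check taken from Theorem 1 fails."""


def scheme(name, branches, measure, out_cond):
    """Build the principal function f from (guard, decompose, parts, compose).

    parts[j] is an auxiliary function, or None where f itself is applied
    (a subinput of the principal sort). `measure` maps inputs to naturals,
    which induces the well-founded ordering of Proposition 1.
    """
    def f(x):
        enabled = [b for b in branches if b[0](x)]
        if not enabled:                          # condition (5): a guard holds
            raise SchemeViolation(f"{name}: no guard holds for {x!r}")
        _, decompose, parts, compose = enabled[0]    # any enabled branch is allowed
        subinputs = decompose(x)
        if len(subinputs) != len(parts):
            raise SchemeViolation(f"{name}: arity mismatch on {x!r}")
        outs = []
        for part, xj in zip(parts, subinputs):
            if part is None:
                if not measure(xj) < measure(x):     # condition (1): x_0 > x_j
                    raise SchemeViolation(f"{name}: {xj!r} not smaller than {x!r}")
                outs.append(f(xj))
            else:
                outs.append(part(xj))
        z = compose(tuple(outs))
        if not out_cond(x, z):                   # conclusion: f:x is feasible for x
            raise SchemeViolation(f"{name}: {z!r} is not feasible for {x!r}")
        return z
    return f


# Primitive operators of Section 1; lists are tuples, nil is ().
def ident(v): return v
def snoc(x): return (x[0], x[1:])            # snoC:(2,5,4) = <2,(5,4)>
def cons(p): return (p[0],) + p[1]           # Cons:<2,(5,4)> = (2,5,4)
def lin(x): return ()                        # liN:nil = <>
def nil(_): return ()                        # Nil:<> = nil

def compose_min(p):
    """Compose of Figure 1: keep the smaller number in front, Cons the other."""
    v1, (v2, z) = p
    return (v1, cons((v2, z))) if v1 <= v2 else (v2, cons((v1, z)))

def select_ok(x, out):
    """Output condition of Select: i <= Bag:z and Bag:x = Add:<i,Bag:z>."""
    i, z = out
    return all(i <= e for e in z) and Counter(x) == Counter(cons((i, z)))

def sort_ok(x, z):
    """Assumed output condition for sorting: same bag, ascending order."""
    return Counter(x) == Counter(z) and all(a <= b for a, b in zip(z, z[1:]))


select = scheme("Select", [
    (lambda x: len(x) == 1, snoc, (ident, ident), ident),      # Rest:x = nil
    (lambda x: len(x) > 1, snoc, (ident, None), compose_min),  # Rest:x != nil
], len, select_ok)

ssort = scheme("Ssort", [
    (lambda x: x == (), lin, (), nil),
    (lambda x: x != (), select, (ident, None), cons),
], len, sort_ok)

# Two deliberately broken instances (constructed for this example).
# The decomposition does not shrink its input, so condition (1) fails.
non_shrinking = scheme("NonShrinking", [
    (lambda x: x == (), lin, (), nil),
    (lambda x: x != (), lambda x: (min(x), x), (ident, None), cons),
], len, sort_ok)

# The composition appends instead of prepending, so separability (4) fails.
bad_compose = scheme("BadCompose", [
    (lambda x: x == (), lin, (), nil),
    (lambda x: x != (), select, (ident, None), lambda p: p[1] + (p[0],)),
], len, sort_ok)


def violates(f, x):
    """True if applying f to x trips one of the checks."""
    try:
        f(x)
    except SchemeViolation:
        return True
    return False


if __name__ == "__main__":
    print(select((2, 5, 1, 4)))               # the trace of Section 1
    print(ssort((2, 5, 1, 4)))
    print(violates(non_shrinking, (3, 1)), violates(bad_compose, (1, 2)))
```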

4. The Design of Divide and Conquer Algorithms

4.1 A Problem Reduction Approach to Design 

Design is a goal-directed activity and this is the primary reason for the
importance of top-down design methods. One form of top-down design, which we
call problem reduction, may be described by a two phase process - the top-down
decomposition of problem specifications and the bottom-up composition of programs.
In practice these phases are interleaved but it helps to understand them
separately. Initially we are given a specification Π. In the first phase we
create an overall program structure for Π which fixes certain gross features
of the desired program. Some parts of the structure are at first underdetermined
but their functional specifications are worked out so that they can be
treated as relatively independent subproblems to be solved at a later stage.
Next we work in turn on each of the subproblem specifications, and so on. This
process of creating program structure and decomposing problem specifications
terminates in primitive problem specifications which can be solved directly,
without reduction to subproblems. The result is a tree of specifications with
the initial specification at the root and primitive problem specifications at
the leaves. The children of a node represent the subproblem specifications
written (or derived) as we create program structure.

The second phase involves the bottom-up composition of programs. Initially 
each primitive problem specification is solved to obtain a program (which is
often a programming language operator). Subsequently whenever each of the
subproblem specifications generated when working on specification $\Pi$ have
solutions, these subproblem solutions are assembled into a program for $\Pi$.

We advocate [13,14] a formal counterpart to the problem reduction approach 
based on the use of program schemes. A scheme provides a standard overall 
structure for the desired program and its uninterpreted operator symbols stand 
for the underdetermined parts of the structure. To use a scheme we require a
corresponding design strategy. Given a problem specification $\Pi$ a design
strategy derives specifications for subproblems in such a way that solutions for the
subproblems can be assembled (via the scheme) into a solution for $\Pi$. A design
strategy then is a way of generating an instance of a scheme which satisfies a
given specification. Any program scheme admits a number of design strategies.
Dershowitz and Manna [4] have presented some strategies for designing program
sequences, if-then-else statements, and loops. 
We have found three design strategies for divide and conquer algorithms.
Each attempts to derive specifications for subalgorithms which satisfy the
conditions of Theorem 1. If successful then any operators which satisfy these
derived specifications can be assembled into a divide and conquer algorithm 
satisfying the given specification. The key difficulty is to ensure that the 
derived specifications satisfy the separability condition, so each design stra- 
tegy concentrates on this goal. 

The first design strategy, called DS1, can be described as follows. 

DS1) First choose a simple decomposition algebra as E and
choose simple known functions for the auxiliary functions, 
then use the separability condition to reason backwards 
towards output conditions and to reason forwards towards input 
conditions for the operators in T. 

To see how we reason towards specifications for the operators in T, suppose that
we have selected a $\Sigma^{-1}$-algebra E and chosen simple known functions $f_s$ for
$s \in S - \underline{s}$ and let the given problem be $\Pi = \langle D, R, I, O\rangle$. We show how to derive output
conditions for $\sigma i_T$ for some $i \in \Sigma$. First use

$\sigma i_E:x_0 = \langle x_1, \ldots, x_{n_i}\rangle$ as $Oi_E:\langle x_0, x_1, \ldots, x_{n_i}\rangle$,

$f_{wi_j}:x_j = z_j$ as $P_{wi_j}:\langle x_j, z_j\rangle$ for $1 \le j \le n_i$, $wi_j \ne s$, and

$O:\langle x, z\rangle$ as $P_s:\langle x, z\rangle$,

and create the following formula

$$\forall \langle x_0, x_1, \ldots, x_{n_i}\rangle \in E_{s\,wi}\ \forall \langle z_0, z_1, \ldots, z_{n_i}\rangle \in T_{s\,wi}\ \Big[Oi_E:\langle x_0, x_1, \ldots, x_{n_i}\rangle \wedge \bigwedge_{j=1}^{n_i} P_{wi_j}:\langle x_j, z_j\rangle \Rightarrow P_s:\langle x_0, z_0\rangle\Big]. \tag{4.1}$$

This formula differs from the separability condition only in that the hypothesis
$Oi_T:\langle z_0, z_1, \ldots, z_{n_i}\rangle$ is missing. We desire to establish the separability
condition so that we can apply Theorem 1 to show that the program we construct
satisfies its specification. We know that $Oi_T$ is a relation on the variables
$z_0, z_1, \ldots, z_{n_i}$. Our technique is to reason backwards from the consequent always
trying to reduce it to relations expressed in terms of the variables
$z_0, z_1, \ldots, z_{n_i}$. If we can show that the assumption of an additional hypothesis
of the form

$Q:\langle z_0, z_1, \ldots, z_{n_i}\rangle$





allows us to prove (4.1), i.e., if we can show that

$$\forall \langle x_0, x_1, \ldots, x_{n_i}\rangle \in E_{s\,wi}\ \forall \langle z_0, z_1, \ldots, z_{n_i}\rangle \in T_{s\,wi}\ \Big[Oi_E:\langle x_0, x_1, \ldots, x_{n_i}\rangle \wedge \bigwedge_{j=1}^{n_i} P_{wi_j}:\langle x_j, z_j\rangle \wedge Q:\langle z_0, z_1, \ldots, z_{n_i}\rangle \Rightarrow P_s:\langle x_0, z_0\rangle\Big]$$

then we take Q as the output condition $Oi_T$, since the separability condition is
satisfied by this choice of $Oi_T$. Formal systems for performing this kind of
deduction are presented in [12,13]. We shall proceed a little less formally
here, making use of our intuition for guidance.



We can also use (4.1) to obtain input conditions for our composition
operators. The input condition for $\sigma i_T$ is some relation on $z_1, \ldots, z_{n_i}$ which can be
expected to hold when $\sigma i_T$ is invoked. Suppose that by reasoning forwards from
the relations established by the decomposition operator and the component
functions we infer a relation $Q':\langle z_1, \ldots, z_{n_i}\rangle$, i.e., that

$$\forall \langle x_0, x_1, \ldots, x_{n_i}\rangle \in E_{s\,wi}\ \forall \langle z_0, z_1, \ldots, z_{n_i}\rangle \in T_{s\,wi}\ \Big[Oi_E:\langle x_0, x_1, \ldots, x_{n_i}\rangle \wedge \bigwedge_{j=1}^{n_i} P_{wi_j}:\langle x_j, z_j\rangle \Rightarrow Q':\langle z_1, \ldots, z_{n_i}\rangle\Big].$$

Then we take Q' as an input condition to $\sigma i_T$.

The other two design strategies are variations on DS1 and use the
separability condition in an analogous manner.



DS2) First choose a simple composition algebra as T, 
second, choose simple known functions for the auxiliary func- 
tions, then use the separability condition to solve for the 
input and output conditions for the operators in E. An input 
condition for the decomposition operator is found by
determining conditions under which a feasible output exists.



DS3) First choose a simple decomposition $\Sigma^{-1}$-algebra as E and
choose a simple composition $\Sigma$-algebra as T, then use the
separability condition to reason backwards towards output con- 
ditions and to reason forwards towards input conditions for 
the auxiliary functions. 

In each of these design strategies we must find a suitable well-founded ordering 
on the input domain in order to ensure program termination. Also, the guards 
are chosen to reflect the domain of definition of the decomposition operators. 
4.2 Design of a Selection Sort Algorithm

Suppose we are given the following specification for sorting a list of 
natural numbers 



$\mathrm{SORT}:x = z$ such that $\mathrm{Bag}:x = \mathrm{Bag}:z \wedge \mathrm{Ordered}:z$
where $\mathrm{SORT}: \mathrm{LIST}(\mathbb{N}) \to \mathrm{LIST}(\mathbb{N})$.

Here "$\mathrm{Bag}:x = \mathrm{Bag}:z$" asserts that the multiset (bag) of elements in the list z is
the same as the multiset of elements in x. Ordered is a predicate which holds
when applied to a list whose elements are in nondecreasing order.

The selection sort algorithm presented in Figure 4 will be derived using
design strategy DS2. Note that Ssort makes use of the composition algebra
$A = \langle \{\mathrm{LIST}(\mathbb{N}), \mathbb{N}\}, \{\mathrm{Nil}, \mathrm{Cons}\}\rangle$ discussed in Section 2.2. In choosing A as the
composition algebra it is not obvious ahead of time that a decomposition algebra
can be found which works with A to solve the SORT problem. This choice of
algebra should be regarded as a tentative hypothesis about how sorted lists can be
composed. The sort set of A is $S = \{c, \underline{s}\}$ where $A_s = \mathrm{LIST}(\mathbb{N})$ and $A_c = \mathbb{N}$. The
operator Nil has type $\langle \lambda, s\rangle$ and operator Cons has type $\langle cs, s\rangle$, $\mathrm{Nil}: A_\lambda \to A_s$,
and $\mathrm{Cons}: A_{cs} \to A_s$.

s 

Naming our desired program Ssort we have at this point,

$E_s = \mathrm{LIST}(\mathbb{N})$, $T_s = \mathrm{LIST}(\mathbb{N})$, $T_c = \mathbb{N}$,

$J_s:x \iff \mathrm{true}$,

$P_s:\langle x, z\rangle \iff \mathrm{Bag}:x = \mathrm{Bag}:z \wedge \mathrm{Ordered}:z$,

$O1_T:\langle\langle\rangle, z\rangle \iff z = \mathrm{nil}$,

$O2_T:\langle z_0, b, z_1\rangle \iff \mathrm{Cons}:\langle b, z_1\rangle = z_0$,

$f_s$ is Ssort.

It remains to determine input and output conditions $J_c$ and $P_c$ for the auxiliary
function $f_c$, the domain $E_c$, and the output conditions $O1_E$ and $O2_E$ for the
decomposition operators.

Our first step towards determining $O2_E$ is to instantiate the separability
condition as far as possible thus obtaining

$$\forall \langle x_0, \langle a, x_1\rangle\rangle \in \mathrm{LIST}(\mathbb{N}) \times (E_c \times \mathrm{LIST}(\mathbb{N}))\ \ \forall \langle z_0, \langle b, z_1\rangle\rangle \in \mathrm{LIST}(\mathbb{N}) \times (\mathbb{N} \times \mathrm{LIST}(\mathbb{N}))$$

$$[O2_E:\langle x_0, \langle a, x_1\rangle\rangle \wedge P_c:\langle a, b\rangle \wedge \mathrm{Bag}:x_1 = \mathrm{Bag}:z_1 \wedge \mathrm{Ordered}:z_1 \wedge \mathrm{Cons}:\langle b, z_1\rangle = z_0 \Rightarrow \mathrm{Bag}:x_0 = \mathrm{Bag}:z_0 \wedge \mathrm{Ordered}:z_0] \tag{4.2}$$

    Ssort:x ≡ if
        x = nil → Nil∘Id_<>∘liN:x □
        x ≠ nil → Cons∘(Id × Ssort)∘Select:x
    fi

    Select:x ≡ if
        Rest:x = nil → Compose1∘Id∘tsiL:x □
        Rest:x ≠ nil → Compose2∘(Id × Select)∘snoC:x
    fi

    Compose1:v = <v,nil>

    Compose2:<v1,<v2,z>> = if
        v1 ≤ v2 → <v1,Cons:<v2,z>> □
        v1 ≥ v2 → <v2,Cons:<v1,z>>
    fi

Figure 4: A Selection Sort Program

To construct this formula we have made the following substitutions into the
separability condition of Theorem 1:

1. replace w2 by cs

2. replace $E_s$ and $T_s$ by $\mathrm{LIST}(\mathbb{N})$

3. replace $E_{cs}$ by $E_c \times \mathrm{LIST}(\mathbb{N})$ and $T_{cs}$ by $\mathbb{N} \times \mathrm{LIST}(\mathbb{N})$

4. replace $P_s:\langle x, z\rangle$ by $\mathrm{Bag}:x = \mathrm{Bag}:z \wedge \mathrm{Ordered}:z$

5. replace $\sigma 2_T:\langle b, z_1\rangle$ by $\mathrm{Cons}:\langle b, z_1\rangle$

Since we desire to have the separability condition hold in order to apply
Theorem 1 we evidently must try to find values for $E_c$, $P_c$, and $O2_E$ which allow us
to prove (4.2).
In order to determine $O2_E$ we attempt to reduce (4.2) to a formula dependent
on the variables $x_0$, $a$, and $x_1$ only. The consequent is the conjunction of two
atomic formulas so we can tackle them separately. Consider first

$$\mathrm{Bag}:x_0 = \mathrm{Bag}:z_0. \tag{4.3}$$

This is equivalent to

$$\mathrm{Bag}:x_0 = \mathrm{Bag} \circ \mathrm{Cons}:\langle b, z_1\rangle$$

since $\mathrm{Cons}:\langle b, z_1\rangle = z_0$ is a hypothesis. The fact

$$\mathrm{Bag} \circ \mathrm{Cons}:\langle u, y\rangle = \mathrm{Add}:\langle u, \mathrm{Bag}:y\rangle$$

allows us to reduce the goal to

$$\mathrm{Bag}:x_0 = \mathrm{Add}:\langle b, \mathrm{Bag}:z_1\rangle.$$

Then since

$$\mathrm{Bag}:x_1 = \mathrm{Bag}:z_1$$

is a hypothesis we further reduce to

$$\mathrm{Bag}:x_0 = \mathrm{Add}:\langle b, \mathrm{Bag}:x_1\rangle.$$

This last relation is almost expressed in terms of variables required by $O2_E$.
Let us assume $a = b$ and thus let $E_c = \mathbb{N}$, $J_c:x \iff \mathrm{TRUE}$, $P_c:\langle a, b\rangle \iff a = b$, and
let $f_c$ be Id. This finally reduces (4.3) to

$$\mathrm{Bag}:x_0 = \mathrm{Add}:\langle a, \mathrm{Bag}:x_1\rangle. \tag{4.4}$$

In other words, if we had (4.4) and $a = b$ as additional hypotheses then we could
establish our original goal (4.3). We will use (4.4) in the output condition
$O2_E$.

Consider now the second goal

$$\mathrm{Ordered}:z_0$$

which via the hypotheses $\mathrm{Cons}:\langle b, z_1\rangle = z_0$ and $a = b$ reduces to

$$\mathrm{Ordered} \circ \mathrm{Cons}:\langle a, z_1\rangle.$$

The fact

$$u \le \mathrm{Bag}:y \wedge \mathrm{Ordered}:y \iff \mathrm{Ordered} \circ \mathrm{Cons}:\langle u, y\rangle \tag{4.5}$$

can be used to produce the equivalent goal

$$a \le \mathrm{Bag}:z_1 \wedge \mathrm{Ordered}:z_1.$$

Now $\mathrm{Ordered}:z_1$ is a hypothesis and thus is assumed to hold. The remaining
subgoal can be transformed via the hypothesis $\mathrm{Bag}:x_1 = \mathrm{Bag}:z_1$ to

$$a \le \mathrm{Bag}:x_1.$$

We have reduced (4.5) to a subgoal which is expressed in terms of the variables
required by $O2_E$. By reasoning backwards we have shown above that if

$$a \le \mathrm{Bag}:x_1 \wedge \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a, \mathrm{Bag}:x_1\rangle \tag{4.6}$$

holds then we can establish (4.2). We take (4.6) as $O2_E$.

Before constructing the specification for $\sigma 2_E$ we construct a well-founded
ordering on $E_s = \mathrm{LIST}(\mathbb{N})$. By Proposition 1 we can construct one based on a
mapping from $\mathrm{LIST}(\mathbb{N})$ to $\mathbb{N}$. The known function Length maps $\mathrm{LIST}(\mathbb{N})$ to $\mathbb{N}$ so
define

$x_0 \succ x_1$ iff $\mathrm{Length}:x_0 > \mathrm{Length}:x_1$.

By Proposition 1 $\langle E_s, \succ\rangle$ is a well-founded set.

Using (4.6) as $O2_E$ and this well-founded ordering on $\mathrm{LIST}(\mathbb{N})$ we create the
following specification for $\sigma 2_E$ in accord with condition (1) of Theorem 1.

$\sigma 2_E:x_0 = \langle a, x_1\rangle$ such that $a \le \mathrm{Bag}:x_1 \wedge \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a, \mathrm{Bag}:x_1\rangle \wedge \mathrm{Length}:x_0 > \mathrm{Length}:x_1$
where $\sigma 2_E: \mathrm{LIST}(\mathbb{N}) \to \mathbb{N} \times \mathrm{LIST}(\mathbb{N})$

By inspection we see that there is no feasible output when the input is nil so
we add the input condition "$x \ne \mathrm{nil}$" obtaining

$\sigma 2_E:x_0 = \langle a, x_1\rangle$ such that $x_0 \ne \mathrm{nil} \Rightarrow \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a, \mathrm{Bag}:x_1\rangle \wedge a \le \mathrm{Bag}:x_1 \wedge \mathrm{Length}:x_0 > \mathrm{Length}:x_1$
where $\sigma 2_E: \mathrm{LIST}(\mathbb{N}) \to \mathbb{N} \times \mathrm{LIST}(\mathbb{N})$.

In [13] we show how to derive the input condition for decomposition operators by
formal means. In the next section we derive a divide and conquer algorithm,
called Select, for this problem.

From the input condition of Select we obtain the guard $x \ne \mathrm{nil}$. The
intended algorithm at this point has the form:

    Ssort:x ≡ if
        q_1:x → Nil∘f_λ∘σ1_E:x □
        x ≠ nil → Cons∘(Id × Ssort)∘Select:x
    fi.

The construction of a specification for $\sigma 1_E$ is similar. First, we
instantiate the separability condition obtaining

$$\forall x_0 \in \mathrm{LIST}(\mathbb{N})\ \forall z_0 \in \mathrm{LIST}(\mathbb{N})\ [O1_E:x_0 \wedge \mathrm{Nil}:\langle\rangle = z_0 \Rightarrow \mathrm{Bag}:x_0 = \mathrm{Bag}:z_0 \wedge \mathrm{Ordered}:z_0] \tag{4.7}$$

In creating this formula we have replaced

w1 by $\lambda$

$E_s$ and $T_s$ by $\mathrm{LIST}(\mathbb{N})$

$P_s:\langle x_0, z_0\rangle$ by $\mathrm{Bag}:x_0 = \mathrm{Bag}:z_0 \wedge \mathrm{Ordered}:z_0$

$\sigma 1_T$ by Nil

and performed some simplifications.

Again we treat the two conjuncts of the goal separately. Since $z_0$ is nil
then the goal $\mathrm{Ordered}:z_0$ holds. The other goal

$$\mathrm{Bag}:z_0 = \mathrm{Bag}:x_0$$

is equivalent to

$$x_0 = \mathrm{nil}$$

since $z_0 = \mathrm{nil}$. We use "$x_0 = \mathrm{nil}$" as the output condition $O1_E$ and create the
specification

$\sigma 1_E:x_0 = z$ such that $x_0 = \mathrm{nil}$
where $\sigma 1_E: \mathrm{LIST}(\mathbb{N}) \to \{\langle\rangle\}$.

The function liN satisfies this specification.

Putting together all of the operators derived above, we obtain the
following selection sort program:

    Ssort:x ≡ if
        x = nil → Nil∘Id_<>∘liN:x □
        x ≠ nil → Cons∘(Id × Ssort)∘Select:x
    fi

which can be simplified to

    Ssort:x ≡ if
        x = nil → x □
        x ≠ nil → Cons∘(Id × Ssort)∘Select:x
    fi



4.3 Synthesis of Select 

In the previous section we derived the specification 
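$\mathrm{Select}:x_0 = \langle a, x_1\rangle$ such that $x_0 \ne \mathrm{nil} \Rightarrow \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a, \mathrm{Bag}:x_1\rangle \wedge a \le \mathrm{Bag}:x_1 \wedge \mathrm{Length}:x_0 > \mathrm{Length}:x_1$
where $\mathrm{Select}: \mathrm{LIST}(\mathbb{N}) \to \mathbb{N} \times \mathrm{LIST}(\mathbb{N})$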

The synthesis of Select proceeds according to the design strategy DS2. First,
we choose a simple decomposition algebra for the input domain - the set of
non-nil lists of natural numbers. The algebra $A = \langle \{\mathbb{N}, \mathrm{LIST}(\mathbb{N})\}, \{\mathrm{tsiL}, \mathrm{snoC}\}\rangle$ is
satisfactory since all non-nil lists can be decomposed into non-nil lists and
natural numbers by tsiL and snoC. The sort set is $S = \{c, \underline{s}\}$, tsiL has type
$\langle s, c\rangle$, and snoC has type $\langle s, cs\rangle$. We have

$E_c = \mathbb{N}$,

$E_s = \mathrm{LIST}(\mathbb{N})$, $T_s = \mathbb{N} \times \mathrm{LIST}(\mathbb{N})$,

$J_s:x_0 \iff x_0 \ne \mathrm{nil}$,

$P_s:\langle x_0, \langle a, x_1\rangle\rangle \iff \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a, \mathrm{Bag}:x_1\rangle \wedge a \le \mathrm{Bag}:x_1 \wedge \mathrm{Length}:x_0 > \mathrm{Length}:x_1$,

$\sigma 1_E$ is tsiL, and $\sigma 2_E$ is snoC.

tsiL is defined when $\mathrm{Rest}:x = \mathrm{nil}$ so this condition is used as $q_1$. snoC will
decompose a non-nil list x into a number and a non-nil list when $\mathrm{Rest}:x \ne \mathrm{nil}$, so
we take this condition as $q_2$. Our intended algorithm now has the form

    Select:x_0 ≡ if
        Rest:x_0 = nil → σ1_T∘f_c∘tsiL:x_0 □
        Rest:x_0 ≠ nil → σ2_T∘(f_c × Select)∘snoC:x_0
    fi

It remains to determine the output domain $T_c$, the input and output conditions $J_c$
and $P_c$ for the auxiliary function $f_c$, and the composition operators $\sigma 1_T$ and $\sigma 2_T$.

$E_s = \mathrm{LIST}(\mathbb{N})$ is made a well-founded set exactly as in the previous example
by defining $x_0 \succ x_1$ iff $\mathrm{Length}:x_0 > \mathrm{Length}:x_1$. snoC and tsiL clearly preserve
this ordering.

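In pursuit of an output condition for $\sigma 2_T$ (a relation dependent on the
variables $a_0$, $z_0$, $v$, $a_1$, and $z_1$), we first instantiate the separability
condition with the result

$$\forall \langle\langle a_0, z_0\rangle, \langle v, \langle a_1, z_1\rangle\rangle\rangle \in (\mathbb{N} \times \mathrm{LIST}(\mathbb{N})) \times (T_c \times (\mathbb{N} \times \mathrm{LIST}(\mathbb{N})))$$

$$\forall \langle x_0, \langle u, x_1\rangle\rangle \in \mathrm{LIST}(\mathbb{N}) \times (\mathbb{N} \times \mathrm{LIST}(\mathbb{N}))$$

$$[\mathrm{snoC}:x_0 = \langle u, x_1\rangle \wedge \mathrm{Bag}:x_1 = \mathrm{Add}:\langle a_1, \mathrm{Bag}:z_1\rangle \wedge a_1 \le \mathrm{Bag}:z_1 \wedge \mathrm{Length}:x_1 > \mathrm{Length}:z_1 \wedge P_c:\langle u, v\rangle \wedge O2_T:\langle\langle a_0, z_0\rangle, \langle v, \langle a_1, z_1\rangle\rangle\rangle$$

$$\Rightarrow \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a_0, z_0\rangle \wedge a_0 \le \mathrm{Bag}:z_0 \wedge \mathrm{Length}:x_0 > \mathrm{Length}:z_0]. \tag{4.8}$$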

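To create this formula the following substitutions were made

cs replaces w2

$\mathrm{LIST}(\mathbb{N})$ replaces $E_s$ and $\mathbb{N} \times \mathrm{LIST}(\mathbb{N})$ replaces $T_s$

$\mathbb{N}$ replaces $E_c$

$\mathrm{snoC}:x_0 = \langle u, x_1\rangle$ replaces $O2_E:\langle x_0, x_1, x_2\rangle$

$\mathrm{Bag}:x_1 = \mathrm{Add}:\langle a_1, \mathrm{Bag}:z_1\rangle \wedge a_1 \le \mathrm{Bag}:z_1 \wedge \mathrm{Length}:x_1 > \mathrm{Length}:z_1$
replaces $P_s:\langle x_1, \langle a_1, z_1\rangle\rangle$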

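Again we consider the goals in (4.8) one at a time. The goal

$$a_0 \le \mathrm{Bag}:z_0$$

is already expressed in the form we desire, so we can use it in $\sigma 2_T$. Consider
the goal

$$\mathrm{Bag}:x_0 = \mathrm{Add}:\langle a_0, z_0\rangle.$$

We have

$$\begin{aligned}
\mathrm{Bag}:x_0 &= \mathrm{Bag} \circ \mathrm{Cons}:\langle u, x_1\rangle && \text{(by hypothesis)} \\
&= \mathrm{Add}:\langle u, \mathrm{Bag}:x_1\rangle \\
&= \mathrm{Add}:\langle u, \mathrm{Add}:\langle a_1, z_1\rangle\rangle && \text{(by hypothesis)}
\end{aligned}$$

Suppose that we let $u = v$ and thus let $T_c = \mathbb{N}$, $P_c:\langle u, v\rangle \iff u = v$, and $f_c$ be Id. We
have

$$\mathrm{Add}:\langle v, \mathrm{Add}:\langle a_1, z_1\rangle\rangle = \mathrm{Add}:\langle a_0, z_0\rangle.$$

This condition is expressed in the desired variables so we use it in $O2_T$.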
Finally, consider the goal 

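$$\mathrm{Length}:x_0 > \mathrm{Length}:z_0. \tag{4.9}$$

In the following derivation we use Card:x to denote the cardinality of the bag
x. We then have

$$\begin{aligned}
\mathrm{Length}:x_0 &= \mathrm{Length} \circ \mathrm{Cons}:\langle u, x_1\rangle \\
&= 1 + \mathrm{Length}:x_1 \\
&= 1 + \mathrm{Card} \circ \mathrm{Add}:\langle a_1, \mathrm{Bag}:z_1\rangle && \text{(using hypothesis } \mathrm{Bag}:x_1 = \mathrm{Add}:\langle a_1, \mathrm{Bag}:z_1\rangle\text{)} \\
&= 2 + \mathrm{Card} \circ \mathrm{Bag}:z_1 \\
&= 2 + \mathrm{Length}:z_1.
\end{aligned}$$

Thus we have reduced (4.9) to

$$2 + \mathrm{Length}:z_1 > \mathrm{Length}:z_0.$$

Putting all these conditions together we obtain

$$\mathrm{Add}:\langle v, \mathrm{Add}:\langle a_1, \mathrm{Bag}:z_1\rangle\rangle = \mathrm{Add}:\langle a_0, \mathrm{Bag}:z_0\rangle \wedge a_0 \le \mathrm{Bag}:z_0 \wedge 2 + \mathrm{Length}:z_1 > \mathrm{Length}:z_0$$

and use it as $O2_T$. We derive an input condition by reasoning forwards from

$$\mathrm{snoC}:x_0 = \langle u, x_1\rangle \wedge \mathrm{Bag}:x_1 = \mathrm{Add}:\langle a_1, \mathrm{Bag}:z_1\rangle \wedge a_1 \le \mathrm{Bag}:z_1 \wedge \mathrm{Length}:x_1 > \mathrm{Length}:z_1 \wedge u = v$$

towards a relation expressed in terms of the variables $v$, $a_1$, and $z_1$. The only
useful inference seems to be

$$a_1 \le \mathrm{Bag}:z_1$$

so we take this as the input condition and form the specification

$\sigma 2_T:\langle v, \langle a_1, z_1\rangle\rangle = \langle a_0, z_0\rangle$ such that $a_1 \le \mathrm{Bag}:z_1 \Rightarrow a_0 \le \mathrm{Bag}:z_0 \wedge \mathrm{Add}:\langle v, \mathrm{Add}:\langle a_1, \mathrm{Bag}:z_1\rangle\rangle = \mathrm{Add}:\langle a_0, \mathrm{Bag}:z_0\rangle \wedge 2 + \mathrm{Length}:z_1 > \mathrm{Length}:z_0$
where $\sigma 2_T: \mathbb{N} \times (\mathbb{N} \times \mathrm{LIST}(\mathbb{N})) \to \mathbb{N} \times \mathrm{LIST}(\mathbb{N})$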

A conditional program, call it Compose2, can be constructed satisfying this
specification.

    Compose2:<v,<a_1,z_1>> ≡ if
        v ≤ a_1 → <v,Cons:<a_1,z_1>> □
        v ≥ a_1 → <a_1,Cons:<v,z_1>>
    fi

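We construct $\sigma 1_T$ in a similar manner. The separability condition is
partially instantiated yielding

$$\forall \langle\langle a_0, z_0\rangle, v\rangle \in (\mathbb{N} \times \mathrm{LIST}(\mathbb{N})) \times \mathbb{N}\ \ \forall \langle x_0, u\rangle \in \mathrm{LIST}(\mathbb{N}) \times \mathbb{N}$$

$$[\mathrm{tsiL}:x_0 = u \wedge u = v \Rightarrow \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a_0, \mathrm{Bag}:z_0\rangle \wedge a_0 \le \mathrm{Bag}:z_0 \wedge \mathrm{Length}:x_0 > \mathrm{Length}:z_0]. \tag{4.9}$$

Dealing first with the goal

$$\mathrm{Bag}:x_0 = \mathrm{Add}:\langle a_0, \mathrm{Bag}:z_0\rangle$$

we have

$$\mathrm{Bag}:x_0 = \{u\} = \{v\}$$

thus

$$\{v\} = \mathrm{Add}:\langle a_0, \mathrm{Bag}:z_0\rangle$$

or equivalently

$$a_0 = v \wedge z_0 = \mathrm{nil}.$$

Again the second goal $a_0 \le \mathrm{Bag}:z_0$ is already reduced to the desired form.
Consider now the final goal

$$\mathrm{Length}:x_0 > \mathrm{Length}:z_0.$$

We have $\mathrm{Length}:x_0 = 1$ thus the goal must reduce to

$$\mathrm{Length}:z_0 = 0$$

or equivalently, $z_0 = \mathrm{nil}$.

Putting together all these conditions we obtain

$$O1_T:\langle z_0, v\rangle \iff z_0 = \mathrm{nil} \wedge a_0 = v$$

and create the specification

$\sigma 1_T:v = \langle a, z\rangle$ such that $z = \mathrm{nil} \wedge a = v$
where $\sigma 1_T: \mathrm{LIST}(\mathbb{N}) \to \mathbb{N} \times \mathrm{LIST}(\mathbb{N})$.

The function Compose1 is easily shown to satisfy this specification:

    Compose1:v = <v,nil>.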



The functions derived above are assembled into the following program:

    Select:x_0 ≡ if
        Rest:x_0 = nil → Compose1∘Id∘tsiL:x_0 □
        Rest:x_0 ≠ nil → Compose2∘(Id × Select)∘snoC:x_0
    fi

The complete selection sort program derived in this section is listed in Figure 
4. It can be transformed into the simpler program listed in Figure 1. 
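The program of Figure 4 and the specifications derived in Sections 4.2 and 4.3, transliterated into Python as an added example that is not part of the original report: Python lists stand in for LIST(ℕ) and `collections.Counter` for bags, and the names `check_operators`, `check_separability` and `o2_E_weak` are introduced here. It tests each operator against its derived specification on all short lists and shows that formula (4.2) stops holding once the conjunct a ≤ Bag:x_1 is dropped from O2_E.

```python
from collections import Counter
from itertools import product

def tsiL(x):
    """Decomposition operator; defined only when Rest:x = nil."""
    if len(x) != 1:
        raise ValueError("tsiL needs a one-element list")
    return x[0]

def snoC(x):
    """Inverse of Cons; undefined on nil."""
    if not x:
        raise ValueError("snoC is undefined on nil")
    return x[0], x[1:]

def compose1(v):
    return v, []

def compose2(v, pair):
    a1, z1 = pair
    # When v == a1 both guards of Figure 4 hold; either branch meets the spec.
    return (v, [a1] + z1) if v <= a1 else (a1, [v] + z1)

def select(x0):
    if len(x0) == 1:                     # guard Rest:x0 = nil
        return compose1(tsiL(x0))        # Compose1 . Id . tsiL
    u, x1 = snoC(x0)                     # guard Rest:x0 /= nil (raises on nil)
    return compose2(u, select(x1))       # Compose2 . (Id x Select) . snoC

def ssort(x):
    if not x:                            # guard x = nil
        return []
    a, x1 = select(x)                    # guard x /= nil
    return [a] + ssort(x1)               # Cons . (Id x Ssort) . Select

# Predicates used in the specifications.
def bag(x):
    return Counter(x)

def add(a, b):
    return b + Counter([a])

def le_bag(a, b):
    return all(a <= e for e in b)

def ordered(z):
    return all(p <= q for p, q in zip(z, z[1:]))

def sort_spec(x, z):
    return bag(x) == bag(z) and ordered(z)

def o2_E(x0, a, x1):
    """(4.6) together with the ordering conjunct: Select's output condition."""
    return (le_bag(a, bag(x1)) and bag(x0) == add(a, bag(x1))
            and len(x0) > len(x1))

def o2_E_weak(x0, a, x1):
    """Deliberately weakened variant that drops the conjunct a <= Bag:x1."""
    return bag(x0) == add(a, bag(x1)) and len(x0) > len(x1)

def o2_T(a0, z0, v, a1, z1):
    """Output condition derived for Compose2 in Section 4.3."""
    return (add(v, add(a1, bag(z1))) == add(a0, bag(z0))
            and le_bag(a0, bag(z0)) and 2 + len(z1) > len(z0))

def lists_up_to(n, values):
    return [list(t) for k in range(n + 1) for t in product(values, repeat=k)]

def check_operators(max_len=4, values=(0, 1, 2)):
    """Return the inputs on which Ssort, Select or Compose2 miss their spec."""
    bad = []
    for x in lists_up_to(max_len, values):
        if not sort_spec(x, ssort(x)):
            bad.append(("Ssort", x))
        if x and not o2_E(x, *select(x)):
            bad.append(("Select", x))
        if x and le_bag(x[0], bag(x[1:])):       # input condition of Compose2
            for v in values:
                a0, z0 = compose2(v, (x[0], x[1:]))
                if not o2_T(a0, z0, v, x[0], x[1:]):
                    bad.append(("Compose2", v, x))
    return bad

def check_separability(o2e, max_len=2, values=(0, 1, 2)):
    """Return (held, failed): instances of (4.2) whose hypotheses hold, and how
    many of those violate the consequent. Instances with a /= b or
    Cons:<b,z1> /= z0 are vacuous, so only b = a and z0 = [b] + z1 are built."""
    small = lists_up_to(max_len, values)
    held = failed = 0
    for x0, x1, z1 in product(lists_up_to(max_len + 1, values), small, small):
        if bag(x1) != bag(z1) or not ordered(z1):
            continue
        for a in values:
            z0 = [a] + z1
            if o2e(x0, a, x1):
                held += 1
                failed += not sort_spec(x0, z0)
    return held, failed
```

`check_separability(o2_E)` reports no failing instance, while `check_separability(o2_E_weak)` does, for example with x_0 = [1, 0], a = 1 and x_1 = z_1 = [0].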



5. More Examples 

5.1. Cartesian Product of Two Sets 

In this section we illustrate the design of a divide and conquer algorithm 
using design strategy DS3. The problem of forming the cartesian product of two 
sets can be specified by 
$\mathrm{CART\_PROD}:\langle x, x'\rangle = z$ such that $z = \{\langle a, b\rangle \mid a \in x \text{ and } b \in x'\}$
where $\mathrm{CART\_PROD}: \mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N}) \to \mathrm{SET}(\mathbb{N} \times \mathbb{N})$.

Here SET(R) denotes the data type of finite sets whose elements belong to the 
data type R. 

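First, we choose a decomposition algebra on $\mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N})$ and then a
composition algebra on $\mathrm{SET}(\mathbb{N} \times \mathbb{N})$. A simple decomposition algebra on sets is
easily found:

$A1 = \langle \{\mathrm{SET}(\mathbb{N}), \mathbb{N}\}, \{\mathrm{Split}, \mathrm{ihP}\}\rangle$

where

$A1_s = \mathrm{SET}(\mathbb{N})$

$A1_c = \mathbb{N}$

$\sigma 1_{A1} = \mathrm{ihP}: \mathrm{SET}(R) \to \{\langle\rangle\}$ (type $\langle \lambda, s\rangle$)

$\sigma 2_{A1} = \mathrm{Split}: \mathrm{SET}(R) \to R \times \mathrm{SET}(R)$ (type $\langle cs, s\rangle$).

ihP decomposes the empty set into the 0-tuple $\langle\rangle$ and Split decomposes a nonempty
set into an element and the remainder of the set. ihP is defined only on the
empty set and Split is defined only on nonempty sets so together these operators
decompose every finite set.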

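However, our input domain is 2-tuples of sets. We shall apply the above
decomposition operators to the first component of the tuple and leave the second
unchanged. The result is the $\Sigma^{-1}$-decomposition algebra

$A2 = \langle \{\mathbb{N} \times \mathrm{SET}(\mathbb{N}), \mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N})\}, \{\mathrm{ihP} \circ 1, \mathrm{Trans} \circ (\mathrm{Split} \times \mathrm{Id2})\}\rangle$

where

$A2_s = \mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N})$,

$A2_c = \mathbb{N} \times \mathrm{SET}(\mathbb{N})$,

$\sigma 1_E = \mathrm{ihP} \circ 1: \mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N}) \to \{\langle\rangle\}$ (type $\langle \lambda, s\rangle$),

$\sigma 2_E = \mathrm{Trans} \circ (\mathrm{Split} \times \mathrm{Id2}): \mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N}) \to (\mathbb{N} \times \mathrm{SET}(\mathbb{N})) \times (\mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N}))$
(type $\langle cs, s\rangle$).

$\sigma 2_E$ makes use of two new functions. The function Id2 returns a 2-tuple
containing copies of its input, i.e., $\mathrm{Id2}:x = \langle x, x\rangle$. The function Trans transposes a
tuple of tuples as follows

$$\mathrm{Trans}:\langle x_1, \ldots, x_n\rangle = \langle y_1, \ldots, y_m\rangle$$

where $x_i = \langle x_{i1}, \ldots, x_{im}\rangle$ and $y_j = \langle x_{1j}, \ldots, x_{nj}\rangle$ for $1 \le i \le n$ and $1 \le j \le m$. For
example,

$$\mathrm{Trans}:\langle\langle 1,2,3\rangle, \langle 4,5,6\rangle\rangle = \langle\langle 1,4\rangle, \langle 2,5\rangle, \langle 3,6\rangle\rangle.$$

$\sigma 2_{A2}$ behaves as follows on input $\langle \{1,2,3\}, \{4,5\}\rangle$:

$$\begin{aligned}
\mathrm{Trans} \circ (\mathrm{Split} \times \mathrm{Id2}):\langle \{1,2,3\}, \{4,5\}\rangle &= \mathrm{Trans}:\langle\langle 1, \{2,3\}\rangle, \langle \{4,5\}, \{4,5\}\rangle\rangle \\
&= \langle\langle 1, \{4,5\}\rangle, \langle \{2,3\}, \{4,5\}\rangle\rangle.
\end{aligned}$$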

Before choosing a composition algebra for T we must decide what the
auxiliary output type $T_c$ can be given that $E_c$ is $\mathbb{N} \times \mathrm{SET}(\mathbb{N})$. Since $E_c$ appears to
be a slightly modified form of $E_s$ ($= \mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N})$) we might conjecture that
the auxiliary function $f_c$ is similar to the principal function $f_s$ and thus use
$\mathrm{SET}(\mathbb{N} \times \mathbb{N})$ as $T_c$. The composition operator $\sigma 2_T$ then is some mapping from
$\mathrm{SET}(\mathbb{N} \times \mathbb{N}) \times \mathrm{SET}(\mathbb{N} \times \mathbb{N})$ to $\mathrm{SET}(\mathbb{N} \times \mathbb{N})$ - we can use the set-union operator
Union. $\sigma 1_T$ is some mapping from $\{\langle\rangle\}$ to $\mathrm{SET}(\mathbb{N} \times \mathbb{N})$ - we can use the function
Phi, which maps the 0-tuple into the empty set.

So far we have developed the program structure

    CP:<x,x'> ≡ if
        x = {} → Phi∘Id_<>∘ihP∘1:<x,x'> □
        x ≠ {} → Union∘(f_c × CP)∘Trans∘(Split × Id2):<x,x'>
    fi.

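In order to determine a specification for $f_c$ we create the following instance of
the separability condition

$$\forall \langle\langle x_0, x'_0\rangle, \langle a, x'_1\rangle, \langle x_2, x'_2\rangle\rangle \in (\mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N})) \times (\mathbb{N} \times \mathrm{SET}(\mathbb{N})) \times (\mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N}))$$

$$\forall \langle z_0, z_1, z_2\rangle \in \mathrm{SET}(\mathbb{N} \times \mathbb{N}) \times \mathrm{SET}(\mathbb{N} \times \mathbb{N}) \times \mathrm{SET}(\mathbb{N} \times \mathbb{N})$$

$$[\mathrm{Split}:x_0 = \langle a, x_2\rangle \wedge x'_1 = x'_0 \wedge x'_2 = x'_0 \wedge P_c:\langle\langle a, x'_1\rangle, z_1\rangle \wedge z_2 = \{\langle u, v\rangle \mid u \in x_2 \text{ and } v \in x'_2\} \wedge z_0 = \mathrm{Union}:\langle z_1, z_2\rangle \Rightarrow z_0 = \{\langle u, v\rangle \mid u \in x_0 \text{ and } v \in x'_0\}]. \tag{5.1}$$

Since we are trying to reason backwards to an expression for $P_c:\langle\langle a, x'_1\rangle, z_1\rangle$ we
seek to reduce the goal to a relation over the variables $a$, $x'_1$, and $z_1$.
Consider the goal

$$z_0 = \{\langle u, v\rangle \mid u \in x_0 \text{ and } v \in x'_0\}. \tag{5.2}$$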

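The set expression on the right hand side can be transformed as follows.

$$\begin{aligned}
\{\langle u, v\rangle \mid u \in x_0 \text{ and } v \in x'_0\}
&= \{\langle u, v\rangle \mid u \in \mathrm{Add}:\langle a, x_2\rangle \text{ and } v \in x'_0\} && \text{(since } \mathrm{Split}:x = \langle a, y\rangle\text{)} \\
&= \{\langle u, v\rangle \mid (u = a \text{ or } u \in x_2) \text{ and } v \in x'_0\} \\
&= \mathrm{Union}:\langle \{\langle u, v\rangle \mid u = a \text{ and } v \in x'_0\}, \{\langle u, v\rangle \mid u \in x_2 \text{ and } v \in x'_0\}\rangle \\
&= \mathrm{Union}:\langle \{\langle u, v\rangle \mid u = a \text{ and } v \in x'_1\}, \{\langle u, v\rangle \mid u \in x_2 \text{ and } v \in x'_2\}\rangle && \text{(since } x'_1 = x'_0 \text{ and } x'_2 = x'_0\text{)} \\
&= \mathrm{Union}:\langle \{\langle u, v\rangle \mid u = a \text{ and } v \in x'_1\}, z_2\rangle && \text{(since } z_2 = \{\langle u, v\rangle \mid u \in x_2 \text{ and } v \in x'_2\}\text{)}
\end{aligned}$$

Using the hypothesis $z_0 = \mathrm{Union}:\langle z_1, z_2\rangle$ we reduce (5.2) to

$$\mathrm{Union}:\langle z_1, z_2\rangle = \mathrm{Union}:\langle \{\langle u, v\rangle \mid u = a \text{ and } v \in x'_1\}, z_2\rangle$$

which holds if

$$z_1 = \{\langle u, v\rangle \mid u = a \text{ and } v \in x'_1\} \tag{5.3}$$

holds. So if we take (5.3) as an additional hypothesis then (5.1) holds. We
take (5.3) as our output condition for $f_c$ and create the specification

$\mathrm{CP\_aux}:\langle a, x\rangle = z$ such that $z = \{\langle u, v\rangle \mid u = a \text{ and } v \in x\}$
where $\mathrm{CP\_aux}: \mathbb{N} \times \mathrm{SET}(\mathbb{N}) \to \mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N})$.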

A divide and conquer algorithm for this problem can easily be constructed using
design strategy DS1 (along the same lines as Ssort). The complete algorithm for
producing the cartesian product of two sets is listed in Figure 5. The reader
can easily find several ways to simplify CP and CP_aux without affecting their 
correctness. 
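The CP and CP_aux programs of Figure 5 and the separability instance (5.1), written out in Python as an added example that is not part of the original report: `frozenset` stands in for SET, and the `pick` parameter of `split`, the weakened condition `p_c_weak` and the `check_*` helpers are assumptions introduced here. It confirms the worked Trans∘(Split × Id2) step, checks CP against CART_PROD for two different Split policies, and shows that (5.1) fails when the output condition of f_c is weaker than (5.3).

```python
from itertools import combinations, product

def ihP(x):
    """Decomposes the empty set into the 0-tuple; undefined elsewhere."""
    if x:
        raise ValueError("ihP is defined only on the empty set")
    return ()

def phi(unit):
    """Maps the 0-tuple into the empty set."""
    if unit != ():
        raise ValueError("Phi takes the 0-tuple")
    return frozenset()

def split(x, pick=min):
    """Split a nonempty set into <element, remainder>. The page leaves the
    choice of element open; `pick` is an assumption of this sketch."""
    if not x:
        raise ValueError("Split is defined only on nonempty sets")
    a = pick(x)
    return a, frozenset(x) - {a}

def id2(x):
    return x, x

def trans(t):
    """Transpose a tuple of equal-length tuples."""
    return tuple(zip(*t))

def cp_aux(a, x, pick=min):
    if not x:                                            # guard x = {}
        return phi(ihP(x))                               # Phi . Id_<> . ihP . 2
    pair, rest = trans((id2(a), split(x, pick)))         # Trans . (Id2 x Split)
    return frozenset({pair}) | cp_aux(*rest, pick=pick)  # Add . (Id x CP_aux)

def cp(x, xp, pick=min):
    if not x:                                            # guard x = {}
        return phi(ihP(x))                               # Phi . Id_<> . ihP . 1
    aux_in, rec_in = trans((split(x, pick), id2(xp)))    # Trans . (Split x Id2)
    return cp_aux(*aux_in, pick=pick) | cp(*rec_in, pick=pick)  # Union

def spec(x, xp):
    """Output condition of CART_PROD."""
    return frozenset((a, b) for a in x for b in xp)

def subsets(universe):
    items = sorted(universe)
    return [frozenset(c) for k in range(len(items) + 1)
            for c in combinations(items, k)]

def check_cp(universe=(1, 2, 3)):
    """Inputs on which CP disagrees with CART_PROD, for two Split policies."""
    return [(x, xp, pick.__name__)
            for x, xp in product(subsets(universe), repeat=2)
            for pick in (min, max) if cp(x, xp, pick) != spec(x, xp)]

def p_c_53(a, x1p, z1):
    """(5.3): the derived output condition of f_c."""
    return z1 == frozenset((a, v) for v in x1p)

def p_c_weak(a, x1p, z1):
    """Weakened variant for contrast: z1 only has to be a subset."""
    return z1 <= frozenset((a, v) for v in x1p)

def check_separability(p_c, universe=(1, 2)):
    """Return (held, failed) over all instances of (5.1) on a small universe,
    trying every element Split may choose and every candidate value of z1."""
    candidates = subsets(product(universe, repeat=2))
    held = failed = 0
    for x0, xp0 in product(subsets(universe), repeat=2):
        for a in x0:
            x2, x1p, x2p = x0 - {a}, xp0, xp0
            z2 = spec(x2, x2p)
            for z1 in candidates:
                if p_c(a, x1p, z1):
                    held += 1
                    failed += (z1 | z2) != spec(x0, xp0)
    return held, failed
```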



5.2 Evaluating a Proposition

In this section we present a divide and conquer algorithm for evaluating a 
proposition. It provides an example of a more complex signature and illustrates 
a programming style suggested by our treatment of divide and conquer algorithms. 
Given a well-formed proposition F and an interpretation I the problem is to com- 
pute the truth value of F under I. Relevant portions of the abstract data types 
for propositions, interpretations, and truth values are presented below. 

    CP:<x,x'> ≡ if
        x = {} → Phi∘Id_<>∘ihP∘1:<x,x'> □
        x ≠ {} → Union∘(CP_aux × CP)∘Trans∘(Split × Id2):<x,x'>
    fi.

    CP_aux:<a,x> ≡ if
        x = {} → Phi∘Id_<>∘ihP∘2:<a,x> □
        x ≠ {} → Add∘(Id × CP_aux)∘Trans∘(Id2 × Split):<a,x>
    fi.

Figure 5. Forming the Cartesian Product of Two Sets.

A data type PROP representing well-formed propositions can be described
abstractly as follows. Let LETTERS be a set of symbols called letters. PROP is
generated from LETTERS using the constructors

Compose_atom: LETTER → PROP, which converts a letter into an atomic proposition,

Compose_neg: PROP → PROP, which forms the negation of a proposition,

Compose_conj: PROP × PROP → PROP, which forms the conjunction of two propositions,

Compose_disj: PROP × PROP → PROP, which forms the disjunction of two propositions.

In other words we have

<{PROP, LETTERS}, {Compose_atom, Compose_neg, Compose_conj, Compose_disj}>

as a composition algebra for PROP. Each of these constructors is uniquely
invertible and we have the corresponding decomposition algebra

<{PROP, LETTERS}, {Decompose_atom, Decompose_neg, Decompose_conj, Decompose_disj}>

where

Decompose_atom: PROP → LETTER, which decomposes an atomic proposition into its
constituent letter,

Decompose_neg: PROP → PROP, which decomposes a negation into its constituent
proposition,

Decompose_conj: PROP → PROP × PROP, which decomposes a conjunction into its
constituent propositions, and

Decompose_disj: PROP → PROP × PROP, which decomposes a disjunction into its
constituent propositions.
These decomposition operators are defined when the predicates Atom, Neg, Conj,
Disj are true respectively. For example, Atom:F holds exactly when
Decompose_atom:F = α for some α ∈ LETTER. We also have F = Compose_atom:α.
Similarly, Conj:F holds iff Decompose_conj:F = <G,H> for some G,H ∈ PROP and thus
F = Compose_conj:<G,H>. More formally the following axioms hold for all
α ∈ LETTER and F,G ∈ PROP

    Decompose_atom∘Compose_atom:α = α

    Decompose_neg∘Compose_neg:F = F

    Decompose_conj∘Compose_conj:<F,G> = <F,G>

    Decompose_disj∘Compose_disj:<F,G> = <F,G>

    Atom∘Compose_atom:α = TRUE

    Neg∘Compose_neg:F = TRUE

    Conj∘Compose_conj:<F,G> = TRUE

    Disj∘Compose_disj:<F,G> = TRUE

The input for our proposition evaluator also includes an interpretation
I ∈ INTERPRETATION which associates boolean values with each letter. We use the
operator Assoc: LETTER × INTERPRETATION → 𝔹 to determine the value of a given
letter under an interpretation.

The output domain for our proposition evaluator is 𝔹, which has the
composition algebra

<{𝔹}, {Id, Not, And, Or}>,

where

Id: 𝔹 → 𝔹 (the identity operator),

Not: 𝔹 → 𝔹 (the usual negation operator),

And: 𝔹 × 𝔹 → 𝔹 (the usual logical and operator),

Or: 𝔹 × 𝔹 → 𝔹 (the usual logical or operator).

A divide and conquer algorithm, called Prop_eval, for evaluating a
proposition is listed in Figure 6. Here is an example computation of Prop_eval: Let F
denote the representation of the proposition (A ∧ B) ∨ ¬A and F_1 and F_2 the
propositions A ∧ B and ¬A respectively thus F = Compose_disj:<F_1,F_2>. Let I be
an interpretation under which letters A and B have the values TRUE and FALSE
respectively.

    Prop_eval:<F,I> ≡ if
        Atom:F → Id∘Assoc∘(Decompose_atom × Id):<F,I> □
        Neg:F → Not∘Prop_eval∘(Decompose_neg × Id):<F,I> □
        Conj:F → And∘(Prop_eval × Prop_eval)∘Trans∘(Decompose_conj × Id2):<F,I> □
        Disj:F → Or∘(Prop_eval × Prop_eval)∘Trans∘(Decompose_disj × Id2):<F,I>
    fi

Figure 6. A Proposition Evaluator

    Prop_eval:<F,I> = Or∘(Prop_eval × Prop_eval)∘Trans∘(Decompose_disj × Id2):<F,I>
                                                        (since Disj:F holds)
                    = Or∘(Prop_eval × Prop_eval)∘Trans:<<F_1,F_2>,<I,I>>
                    = Or∘(Prop_eval × Prop_eval):<<F_1,I>,<F_2,I>>
                    = Or:<FALSE,FALSE>
                    = FALSE

where Prop_eval:<F_1,I> and Prop_eval:<F_2,I> both evaluate to FALSE in a similar
manner.
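The Prop_eval scheme of Figure 6 with its composition and decomposition algebras for PROP, as an added Python example that is not part of the original report: tagged tuples as the representation of PROP, a dict as INTERPRETATION, and the helpers `letters`, `equivalent` and `axioms_hold` are assumptions introduced here. It reproduces the worked computation for (A ∧ B) ∨ ¬A, checks the eight axioms on sample propositions, and uses the evaluator to decide logical equivalence over all interpretations.

```python
from itertools import product

# Composition algebra for PROP (tagged tuples are this sketch's representation).
def compose_atom(letter):
    return ("atom", letter)

def compose_neg(f):
    return ("neg", f)

def compose_conj(f, g):
    return ("conj", f, g)

def compose_disj(f, g):
    return ("disj", f, g)

# Guards: each one says which decomposition operator is defined on F.
def is_atom(f): return f[0] == "atom"
def is_neg(f):  return f[0] == "neg"
def is_conj(f): return f[0] == "conj"
def is_disj(f): return f[0] == "disj"

def _decompose(tag, f):
    if f[0] != tag:
        raise ValueError(f"Decompose_{tag} is undefined on a {f[0]} proposition")
    return f[1] if len(f) == 2 else f[1:]

def decompose_atom(f): return _decompose("atom", f)
def decompose_neg(f):  return _decompose("neg", f)
def decompose_conj(f): return _decompose("conj", f)
def decompose_disj(f): return _decompose("disj", f)

def assoc(letter, interp):
    return interp[letter]

def id2(x):
    return x, x

def trans(t):
    return tuple(zip(*t))

def prop_eval(f, i):
    if is_atom(f):
        return assoc(decompose_atom(f), i)     # Id . Assoc . (Decompose_atom x Id)
    if is_neg(f):
        return not prop_eval(decompose_neg(f), i)
    if is_conj(f):
        left, right = trans((decompose_conj(f), id2(i)))   # <<G,I>,<H,I>>
        return prop_eval(*left) and prop_eval(*right)
    if is_disj(f):
        left, right = trans((decompose_disj(f), id2(i)))
        return prop_eval(*left) or prop_eval(*right)
    raise ValueError("no guard holds: not a well-formed proposition")

def letters(f):
    """Set of letters occurring in F."""
    if is_atom(f):
        return {decompose_atom(f)}
    return set().union(*(letters(g) for g in f[1:]))

def equivalent(f, g):
    """True when F and G agree under every interpretation of their letters."""
    names = sorted(letters(f) | letters(g))
    for values in product((True, False), repeat=len(names)):
        interp = dict(zip(names, values))
        if prop_eval(f, interp) != prop_eval(g, interp):
            return False
    return True

def axioms_hold(props, names):
    """Check the eight axioms of Section 5.2 on the given samples."""
    ok = all(decompose_atom(compose_atom(n)) == n and is_atom(compose_atom(n))
             for n in names)
    for f, g in product(props, repeat=2):
        ok = ok and decompose_neg(compose_neg(f)) == f and is_neg(compose_neg(f))
        ok = ok and decompose_conj(compose_conj(f, g)) == (f, g)
        ok = ok and decompose_disj(compose_disj(f, g)) == (f, g)
        ok = ok and is_conj(compose_conj(f, g)) and is_disj(compose_disj(f, g))
    return ok

# The worked example: F = (A and B) or not A, with A = TRUE and B = FALSE.
A, B = compose_atom("A"), compose_atom("B")
F1, F2 = compose_conj(A, B), compose_neg(A)
F = compose_disj(F1, F2)
I = {"A": True, "B": False}
```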

6. Concluding Remarks 

We have presented a class of program schemes which provide a normal-form 
for expressing the structure of divide and conquer algorithms. Based on these 
schemes we have given a theorem relating the correctness of a divide and conquer 
algorithm to the correctness of its parts. The theorem gives rise to several 
strategies for designing divide and conquer algorithms and we used these stra- 
tegies to derive several algorithms. 

By using syntactic program schemes to express the structure of a diverse 
class of algorithms we have the disadvantage that some instances will not be in 
their most desirable form. However this approach to representing programming
knowledge has a number of important advantages. 1) Schemes express the
essential structure of algorithms in the class in a clear and precise way. 2)
Generic proofs of correctness, as provided here by Theorem 1, can be given. The
correctness of a divide and conquer algorithm is reduced to the simpler task of
establishing the conditions of Theorem 1. 3) By providing the essential
structure of algorithms in a class schemes may suggest uniform approaches to designing
them.

The design strategies we have presented involve choices which may be weakly 
motivated and we may need to try several alternatives before we find one which 
works. The resulting design process can be represented by a tree of derivation 
paths, some of which lead to useful algorithms, some of which are dead ends. 
Aside from this control problem the design strategies can be formalized for use 
in automatic program synthesizers. However at present it is not clear whether 
an adequate collection of heuristics can be found to guide an automated design 
process through the design space without human insight. 

The top-down style of programming suggested by our design strategies can be 
summarized as follows. First we require a clear understanding of the problem to 
be solved, expressed formally by specifications. If a divide and conquer
solution seems both possible and desirable we begin to explore the input and/or
output domains looking for simple decomposition and composition algebras respec- 
tively. Depending on our choice we follow one of the design strategies dis- 
cussed above. Using our intuition and/or proceeding formally using the separa- 
bility condition we derive specifications for the unknown operators in our pro- 
gram. These specifications are then satisfied either by target language opera- 
tors or by (recursively) designing algorithms for them. Once a correct but pos- 
sibly over-structured or inefficient algorithm has been constructed we subject 
it to equivalence-preserving transformations resulting in a more satisfactory 
design. 